[Bug 1004049] New: /usr/bin/socat ... openpty() is not allowed to do chown of resulting /dev/pts/ device
http://bugzilla.suse.com/show_bug.cgi?id=1004049

Bug ID: 1004049
Summary: /usr/bin/socat ... openpty() is not allowed to do chown of resulting /dev/pts/ device
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: All
OS: openSUSE 42.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: werner@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Even with apparmor disabled I see in the strace

close(8) = 0
close(7) = 0
chown("/dev/pts/8", 223, 5) = -1 EPERM (Operation not permitted)
close(6) = 0

which makes this tool useless for normal users.

Besides this: why do we have setcap/getcap installed by default? With this we would be able to set permissions based on capabilities for tools like setcap and ping, ping6, ... in the %post install section of the rpm of the affected tools

--
You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c1

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com

--- Comment #1 from Dr. Werner Fink <werner@suse.com> ---
Maintainer of socat is meissner@suse.com ;)

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c2

--- Comment #2 from Dr. Werner Fink <werner@suse.com> ---
The same problem for screen ... oouch

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c3

--- Comment #3 from Marcus Meissner <meissner@suse.com> ---
What command line args do you try?

I think this is intended actually, as it should have the right permissions on creation.

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c4

--- Comment #4 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Marcus Meissner from comment #3)

Compare with ~werner/bin/vscreen ... a script to start some serial consoles to be able to connect to host pipes from running VirtualBox instances:

socat unix-connect:/dev/vboxtty/Factory,oobinline \
      pty,link=/dev/vboxtty/PFactory,b38400,parenb=1,cs8,istrip=0,icanon=1

where /dev/vboxtty/PFactory points to e.g. /dev/pts/10 which then will be opened by a running screen session.

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c5

--- Comment #5 from Dr. Werner Fink <werner@suse.com> ---
Btw: My solution is

setcap cap_chown+ep /usr/bin/screen
setcap cap_chown+ep /usr/bin/socat

as root. Similar for ping and ping6 with cap_net_raw+ep

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c6

--- Comment #6 from Marcus Meissner <meissner@suse.com> ---
That is a bit of a security hole though.

This pty usage is a bit over my head.

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c7

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lnussel@suse.com

--- Comment #7 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Marcus Meissner from comment #6)

Hmm ... pty usage should be possible for programs which depend on pty. Not only xterm, konsole, lxterminal, gnome-terminal, but also screen and socat and some other programs do depend on that. You can not use screen and socat without.

Btw. for /usr/bin/ping and /usr/bin/ping6 I've set cap_net_raw+ep as otherwise those two programs are useless and should not stay below /usr/bin/ but in /usr/sbin/.

IMHO this requires an extension of the concept of /etc/permissions to be able to set capabilities ... with this we might remove capabilities in the secure and paranoid, but add them in default and/or easy. Such an extension could be

# Format:
# <file> <owner>:<group> <permission> [<capabilit(y/ies)>]

that means an optional fourth column to set capabilities or if absent to remove any capabilities

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c8

--- Comment #8 from Ludwig Nussel <lnussel@suse.com> ---
What's the chown good for?

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c9

--- Comment #9 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Ludwig Nussel from comment #8)

The openpty(3) code of the glibc does a chown on the resulting /dev/pts/<num> and this returns with EPERM.

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c10

--- Comment #10 from Ludwig Nussel <lnussel@suse.com> ---
The devices appear there with the correct owner already. There is no need for chown and I don't see it happen on my 42.2 installation. Screen has no special permissions here and opens ptys just fine. Anything else would be surprising :)
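
Added example (not part of the bug thread and not glibc, screen or socat code): a Linux-only C check of the point made in comment #10, that a /dev/pts node already belongs to the caller at creation, using the same open("/dev/ptmx") / TIOCGPTN / stat sequence that appears in the strace in comment #11. The function name check_new_pty_owner and the pty_result enum are made up for this illustration.

```c
/* Added example, not code from the bug report. Linux-only: it uses /dev/ptmx
 * and TIOCGPTN, the calls visible in the strace in comment #11. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum pty_result { PTY_UNAVAILABLE = -1, PTY_OWNER_OK = 0, PTY_OWNER_MISMATCH = 1 };

/* Allocate a pty master, find its slave node and compare the node's owner
 * with our effective uid. No chown(2), chmod(2) or grantpt(3) is called, so
 * *st holds exactly what devpts assigned when it created the node. */
enum pty_result check_new_pty_owner(char *path, size_t len, struct stat *st)
{
    unsigned int n = 0;
    int fd = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return PTY_UNAVAILABLE;            /* no usable devpts here */
    if (ioctl(fd, TIOCGPTN, &n) < 0) {
        close(fd);
        return PTY_UNAVAILABLE;
    }
    snprintf(path, len, "/dev/pts/%u", n);
    /* stat before closing the master: the slave node disappears with it */
    int rc = stat(path, st);
    close(fd);
    if (rc < 0 || !S_ISCHR(st->st_mode))
        return PTY_UNAVAILABLE;
    return st->st_uid == geteuid() ? PTY_OWNER_OK : PTY_OWNER_MISMATCH;
}

int main(void)
{
    char path[64];
    struct stat st;
    enum pty_result r = check_new_pty_owner(path, sizeof path, &st);
    if (r == PTY_UNAVAILABLE) {
        puts("could not allocate a pty in this environment");
        return 2;
    }
    printf("%s uid=%u gid=%u mode=%04o (our euid=%u): %s\n", path,
           (unsigned)st.st_uid, (unsigned)st.st_gid,
           (unsigned)(st.st_mode & 07777), (unsigned)geteuid(),
           r == PTY_OWNER_OK ? "already ours, no chown needed"
                             : "owner differs, chown would need privilege");
    return r;
}
```

Run as an unprivileged user, it prints the owner, group and mode the node had before any chown or chmod, which can be compared with the arguments of the chown calls in the traces in this thread.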

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c11

--- Comment #11 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Ludwig Nussel from comment #10)

This does not solve the problem on Leap 42.1 where openpty(3) does a chown(2) ... btw: I'm running a Leap 42.2 here in a VM and ... let's see ... OK for werner via NIS it does not, but for the local user linux

27408 open("/dev/ptmx", O_RDWR) = 5
27408 statfs("/dev/pts", {f_type="DEVPTS_SUPER_MAGIC", f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
27408 rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTORER|SA_RESTART, 0x7f2060c9b950}, {0x406510, [], SA_RESTORER|SA_RESTART, 0x7f2060c9b950}, 8) = 0
27408 ioctl(5, TCGETS, {B38400 opost isig icanon echo ...}) = 0
27408 ioctl(5, TIOCGPTN, [1]) = 0
27408 stat("/dev/pts/1", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
27408 ioctl(5, TCGETS, {B38400 opost isig icanon echo ...}) = 0
27408 ioctl(5, TIOCGPTN, [1]) = 0
27408 stat("/dev/pts/1", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
27408 getuid() = 1000
27408 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 6
27408 connect(6, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = 0
27408 sendto(6, "\2\0\0\0\f\0\0\0\6\0\0\0group\0", 18, MSG_NOSIGNAL, NULL, 0) = 18
27408 poll([{fd=6, events=POLLIN|POLLERR|POLLHUP}], 1, 5000) = 1 ([{fd=6, revents=POLLIN|POLLHUP}])
27408 recvmsg(6, {msg_name(0)=NULL, msg_iov(2)=[{"group\0", 6}, {"\310O\3\0\0\0\0\0", 8}], msg_controllen=20, [{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, [7]}], msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 14
27408 mmap(NULL, 217032, PROT_READ, MAP_SHARED, 7, 0) = 0x7f20618ad000
27408 close(7) = 0
27408 close(6) = 0
27408 ioctl(5, TIOCSPTLCK, [0]) = 0
27408 rt_sigaction(SIGCHLD, {0x406510, [], SA_RESTORER|SA_RESTART, 0x7f2060c9b950}, {SIG_DFL, [], SA_RESTORER|SA_RESTART, 0x7f2060c9b950}, 8) = 0
27408 ioctl(5, TCFLSH, 0x2) = 0
27408 ioctl(5, TIOCPKT, [1]) = 0
27408 fcntl(5, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
27408 ioctl(5, TCFLSH, 0x2) = 0
27408 chown("/dev/pts/1", 1000, 5) = 0
27408 chmod("/dev/pts/1", 0620) = 0
27408 brk(0xf77000) = 0xf77000

and at exit

27408 access("/var/run/utmpx", F_OK) = -1 ENOENT (No such file or directory)
27408 open("/var/run/utmp", O_RDONLY|O_CLOEXEC) = 6
27408 lseek(6, 0, SEEK_SET) = 0
27408 alarm(0) = 0
27408 rt_sigaction(SIGALRM, {0x7f2060d836b0, [], SA_RESTORER, 0x7f2060c9b950}, {SIG_DFL, [], 0}, 8) = 0
27408 alarm(10) = 0
27408 fcntl(6, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
27408 read(6, "\2\0\0\0\0\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
27408 read(6, "\7\0\0\0(\f\0\0tty1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
27408 read(6, "\1\0\0\0005\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
27408 read(6, "\10\0\0\0\375j\0\0pts/1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
27408 read(6, "", 384) = 0
27408 fcntl(6, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
27408 alarm(0) = 10
27408 rt_sigaction(SIGALRM, {SIG_DFL, [], SA_RESTORER, 0x7f2060c9b950}, NULL, 8) = 0
27408 chmod("/dev/pts/1", 0666) = 0
27408 chown("/dev/pts/1", 0, 0) = -1 EPERM (Operation not permitted)

there is a chown

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c12

--- Comment #12 from Dr. Werner Fink <werner@suse.com> ---
I'd really like to know *why* I've to change the capabilities for socat, screen, ping, and ping6 on 42.1 whereas it works on 42.2?

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c13

--- Comment #13 from Ludwig Nussel <lnussel@suse.com> ---
Me too :-) Sounds like a bug somewhere

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c14

--- Comment #14 from Dr. Werner Fink <werner@suse.com> ---
I've seen this on four latest 42.1 ... that is two installations at home (desktop and notebook) and the two workstations here below my desk

http://bugzilla.suse.com/show_bug.cgi?id=1004049#c19

Tomáš Chvátal <tchvatal@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #19 from Tomáš Chvátal <tchvatal@suse.com> ---
This is automated batch bugzilla cleanup.

The openSUSE 42.3 changed to end-of-life (EOL [1]) status. As such it is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of openSUSE (At this moment openSUSE Leap 15.1, 15.0 and Tumbleweed) please feel free to reopen this bug against that version (!you must update the "Version" component in the bug fields, do not just reopen please), or alternatively create a new ticket.

Thank you for reporting this bug and we are sorry it could not be fixed during the lifetime of the release.

[1] https://en.opensuse.org/Lifetime

https://bugzilla.suse.com/show_bug.cgi?id=1004049#c20

Cristian Rodríguez <crrodriguez@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|openSUSE 42.1               |All

--- Comment #20 from Cristian Rodríguez <crrodriguez@opensuse.org> ---
This bug was fixed in glibc commit https://github.com/bminor/glibc/commit/27fe5f2e67a0e4cc0526b1b32b55f8e519075...